
[tor-talk] Wired Story on Uncovering Users of Hidden Services.

A recent story in Wired is entitled "Visit the Wrong Website and the FBI Could End Up in Your Computer" by Kevin Poulsen (http://www.wired.com/2014/08/operation_torpedo/). The story involves the FBI uncovering the IP addresses of numerous users of a Tor hidden service.

I know this was mentioned previously (https://lists.torproject.org/pipermail/tor-talk/2014-August/034270.html) but I am interested in a different aspect.

Within the story, there is a link to a PDF of an application for a search warrant (https://www.documentcloud.org/documents/1261620-torpedo-affidavit.html) which provides illuminating reading (parts are a bit disgusting as they refer to the content of the hidden service which was serving child porn).

In short, the FBI arrested the owner of the hidden service, took over the server, then installed a "Network Investigative Technique" (malware) which collected the IP of visitors. See pages 31-33 of the PDF affidavit.

Three questions:

If it's possible for the owner of a hidden service (whether the FBI or a regular person) to install malware which grabs visitors' IPs, then what is stopping any hidden service owner from doing this?

The Wired article states that "In a two-week period, the FBI collected IP addresses, hardware MAC addresses (a unique hardware identifier for the computer's network or Wi-Fi card) and Windows hostnames on at least 25 visitors to the sites. Subpoenas to ISPs produced home addresses and subscriber names, and in April 2013, five months after the NIT deployment, the bureau staged coordinated raids around the country."

However, in the affidavit, I'm not sure that MAC addresses are mentioned.

Considering the number of individuals that must have visited the hidden service, this doesn't seem to be very many people. Why were so few identified? Were the 25 using outdated browsers (TBB)?

How, in this case, was it possible for the FBI to learn the IP addresses of visitors to this hidden service? The Tor hidden server page states that "In general, the complete connection between client and hidden service consists of 6 relays: 3 of them were picked by the client with the third being the rendezvous point and the other 3 were picked by the hidden service."

Can someone knowledgeable please explain how visitors to a Tor hidden service can have their real IPs detected?
